mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
a7e867a699
This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
288 lines
13 KiB
Go
288 lines
13 KiB
Go
package configuration
|
|
|
|
import (
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
"path/filepath"
|
|
"runtime"
|
|
"sort"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/authelia/authelia/internal/configuration/schema"
|
|
"github.com/authelia/authelia/internal/configuration/validator"
|
|
"github.com/authelia/authelia/internal/utils"
|
|
)
|
|
|
|
func TestShouldErrorSecretNotExist(t *testing.T) {
|
|
testReset()
|
|
|
|
dir, err := ioutil.TempDir("", "authelia-test-secret-not-exist")
|
|
assert.NoError(t, err)
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET_FILE", filepath.Join(dir, "jwt")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"DUO_API_SECRET_KEY_FILE", filepath.Join(dir, "duo")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET_FILE", filepath.Join(dir, "session")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE", filepath.Join(dir, "authentication")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"NOTIFIER_SMTP_PASSWORD_FILE", filepath.Join(dir, "notifier")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_REDIS_PASSWORD_FILE", filepath.Join(dir, "redis")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE", filepath.Join(dir, "redis-sentinel")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD_FILE", filepath.Join(dir, "mysql")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_POSTGRES_PASSWORD_FILE", filepath.Join(dir, "postgres")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"TLS_KEY_FILE", filepath.Join(dir, "tls")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE", filepath.Join(dir, "oidc-key")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE", filepath.Join(dir, "oidc-hmac")))
|
|
|
|
val := schema.NewStructValidator()
|
|
_, _, err = Load(val, NewEnvironmentSource(DefaultEnvPrefix, DefaultEnvDelimiter), NewSecretsSource(DefaultEnvPrefix, DefaultEnvDelimiter))
|
|
|
|
assert.NoError(t, err)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
|
|
errs := val.Errors()
|
|
require.Len(t, errs, 12)
|
|
|
|
sort.Sort(utils.ErrSliceSortAlphabetical(errs))
|
|
|
|
errFmt := utils.GetExpectedErrTxt("filenotfound")
|
|
|
|
// ignore the errors before this as they are checked by the valdator.
|
|
assert.EqualError(t, errs[0], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "authentication"), "authentication_backend.ldap.password", fmt.Sprintf(errFmt, filepath.Join(dir, "authentication"))))
|
|
assert.EqualError(t, errs[1], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "duo"), "duo_api.secret_key", fmt.Sprintf(errFmt, filepath.Join(dir, "duo"))))
|
|
assert.EqualError(t, errs[2], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "jwt"), "jwt_secret", fmt.Sprintf(errFmt, filepath.Join(dir, "jwt"))))
|
|
assert.EqualError(t, errs[3], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "mysql"), "storage.mysql.password", fmt.Sprintf(errFmt, filepath.Join(dir, "mysql"))))
|
|
assert.EqualError(t, errs[4], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "notifier"), "notifier.smtp.password", fmt.Sprintf(errFmt, filepath.Join(dir, "notifier"))))
|
|
assert.EqualError(t, errs[5], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "oidc-hmac"), "identity_providers.oidc.hmac_secret", fmt.Sprintf(errFmt, filepath.Join(dir, "oidc-hmac"))))
|
|
assert.EqualError(t, errs[6], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "oidc-key"), "identity_providers.oidc.issuer_private_key", fmt.Sprintf(errFmt, filepath.Join(dir, "oidc-key"))))
|
|
assert.EqualError(t, errs[7], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "postgres"), "storage.postgres.password", fmt.Sprintf(errFmt, filepath.Join(dir, "postgres"))))
|
|
assert.EqualError(t, errs[8], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "redis"), "session.redis.password", fmt.Sprintf(errFmt, filepath.Join(dir, "redis"))))
|
|
assert.EqualError(t, errs[9], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "redis-sentinel"), "session.redis.high_availability.sentinel_password", fmt.Sprintf(errFmt, filepath.Join(dir, "redis-sentinel"))))
|
|
assert.EqualError(t, errs[10], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "session"), "session.secret", fmt.Sprintf(errFmt, filepath.Join(dir, "session"))))
|
|
assert.EqualError(t, errs[11], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "tls"), "tls_key", fmt.Sprintf(errFmt, filepath.Join(dir, "tls"))))
|
|
}
|
|
|
|
func TestLoadShouldReturnErrWithoutValidator(t *testing.T) {
|
|
_, _, err := Load(nil, NewEnvironmentSource(DefaultEnvPrefix, DefaultEnvDelimiter))
|
|
assert.EqualError(t, err, "no validator provided")
|
|
}
|
|
|
|
func TestLoadShouldReturnErrWithoutSources(t *testing.T) {
|
|
_, _, err := Load(schema.NewStructValidator())
|
|
assert.EqualError(t, err, "no sources provided")
|
|
}
|
|
|
|
func TestShouldHaveNotifier(t *testing.T) {
|
|
testReset()
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD", "abc"))
|
|
|
|
val := schema.NewStructValidator()
|
|
_, config, err := Load(val, NewDefaultSources([]string{"./test_resources/config.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
|
|
|
assert.NoError(t, err)
|
|
assert.Len(t, val.Errors(), 0)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
assert.NotNil(t, config.Notifier)
|
|
}
|
|
|
|
func TestShouldValidateConfigurationWithEnv(t *testing.T) {
|
|
testReset()
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD", "abc"))
|
|
|
|
val := schema.NewStructValidator()
|
|
_, _, err := Load(val, NewDefaultSources([]string{"./test_resources/config.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
|
|
|
assert.NoError(t, err)
|
|
assert.Len(t, val.Errors(), 0)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
}
|
|
|
|
func TestShouldNotIgnoreInvalidEnvs(t *testing.T) {
|
|
testReset()
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET", "an env session secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD", "an env storage mysql password"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL", "a bad env"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET", "an env jwt secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD", "an env authentication backend ldap password"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_URL", "an env authentication backend ldap password"))
|
|
|
|
val := schema.NewStructValidator()
|
|
keys, _, err := Load(val, NewDefaultSources([]string{"./test_resources/config.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
validator.ValidateKeys(keys, DefaultEnvPrefix, val)
|
|
|
|
require.Len(t, val.Warnings(), 1)
|
|
assert.Len(t, val.Errors(), 0)
|
|
|
|
assert.EqualError(t, val.Warnings()[0], fmt.Sprintf("configuration environment variable not expected: %sSTORAGE_MYSQL", DefaultEnvPrefix))
|
|
}
|
|
|
|
func TestShouldValidateAndRaiseErrorsOnNormalConfigurationAndSecret(t *testing.T) {
|
|
testReset()
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET", "an env session secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET_FILE", "./test_resources/example_secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD", "an env storage mysql password"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET_FILE", "./test_resources/example_secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD", "an env authentication backend ldap password"))
|
|
|
|
val := schema.NewStructValidator()
|
|
_, config, err := Load(val, NewDefaultSources([]string{"./test_resources/config.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
|
|
|
assert.NoError(t, err)
|
|
require.Len(t, val.Errors(), 1)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
|
|
assert.EqualError(t, val.Errors()[0], "secrets: error loading secret into key 'session.secret': it's already defined in other configuration sources")
|
|
|
|
assert.Equal(t, "example_secret value", config.JWTSecret)
|
|
assert.Equal(t, "example_secret value", config.Session.Secret)
|
|
assert.Equal(t, "an env storage mysql password", config.Storage.MySQL.Password)
|
|
assert.Equal(t, "an env authentication backend ldap password", config.AuthenticationBackend.LDAP.Password)
|
|
}
|
|
|
|
func TestShouldRaiseIOErrOnUnreadableFile(t *testing.T) {
|
|
if runtime.GOOS == constWindows {
|
|
t.Skip("skipping test due to being on windows")
|
|
}
|
|
|
|
testReset()
|
|
|
|
dir, err := ioutil.TempDir("", "authelia-conf")
|
|
assert.NoError(t, err)
|
|
|
|
assert.NoError(t, os.WriteFile(filepath.Join(dir, "myconf.yml"), []byte("server:\n port: 9091\n"), 0000))
|
|
|
|
cfg := filepath.Join(dir, "myconf.yml")
|
|
|
|
val := schema.NewStructValidator()
|
|
_, _, err = Load(val, NewYAMLFileSource(cfg))
|
|
|
|
assert.NoError(t, err)
|
|
require.Len(t, val.Errors(), 1)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
assert.EqualError(t, val.Errors()[0], fmt.Sprintf("failed to load configuration from yaml file(%s) source: open %s: permission denied", cfg, cfg))
|
|
}
|
|
|
|
func TestShouldValidateConfigurationWithEnvSecrets(t *testing.T) {
|
|
testReset()
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET_FILE", "./test_resources/example_secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD_FILE", "./test_resources/example_secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET_FILE", "./test_resources/example_secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE", "./test_resources/example_secret"))
|
|
|
|
val := schema.NewStructValidator()
|
|
_, config, err := Load(val, NewDefaultSources([]string{"./test_resources/config.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
|
|
|
assert.NoError(t, err)
|
|
assert.Len(t, val.Errors(), 0)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
|
|
assert.Equal(t, "example_secret value", config.JWTSecret)
|
|
assert.Equal(t, "example_secret value", config.Session.Secret)
|
|
assert.Equal(t, "example_secret value", config.AuthenticationBackend.LDAP.Password)
|
|
assert.Equal(t, "example_secret value", config.Storage.MySQL.Password)
|
|
}
|
|
|
|
func TestShouldValidateAndRaiseErrorsOnBadConfiguration(t *testing.T) {
|
|
testReset()
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD", "abc"))
|
|
|
|
val := schema.NewStructValidator()
|
|
keys, _, err := Load(val, NewDefaultSources([]string{"./test_resources/config_bad_keys.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
validator.ValidateKeys(keys, DefaultEnvPrefix, val)
|
|
|
|
require.Len(t, val.Errors(), 2)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
|
|
assert.EqualError(t, val.Errors()[0], "configuration key not expected: loggy_file")
|
|
assert.EqualError(t, val.Errors()[1], "invalid configuration key 'logs_level' was replaced by 'log.level'")
|
|
}
|
|
|
|
func TestShouldNotReadConfigurationOnFSAccessDenied(t *testing.T) {
|
|
if runtime.GOOS == constWindows {
|
|
t.Skip("skipping test due to being on windows")
|
|
}
|
|
|
|
testReset()
|
|
|
|
dir, err := ioutil.TempDir("", "authelia-config")
|
|
assert.NoError(t, err)
|
|
|
|
cfg := filepath.Join(dir, "config.yml")
|
|
assert.NoError(t, testCreateFile(filepath.Join(dir, "config.yml"), "port: 9091\n", 0000))
|
|
|
|
val := schema.NewStructValidator()
|
|
_, _, err = Load(val, NewYAMLFileSource(cfg))
|
|
|
|
assert.NoError(t, err)
|
|
require.Len(t, val.Errors(), 1)
|
|
|
|
assert.EqualError(t, val.Errors()[0], fmt.Sprintf("failed to load configuration from yaml file(%s) source: open %s: permission denied", cfg, cfg))
|
|
}
|
|
|
|
func TestShouldNotLoadDirectoryConfiguration(t *testing.T) {
|
|
testReset()
|
|
|
|
dir, err := ioutil.TempDir("", "authelia-config")
|
|
assert.NoError(t, err)
|
|
|
|
val := schema.NewStructValidator()
|
|
_, _, err = Load(val, NewYAMLFileSource(dir))
|
|
|
|
assert.NoError(t, err)
|
|
require.Len(t, val.Errors(), 1)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
|
|
expectedErr := fmt.Sprintf(utils.GetExpectedErrTxt("yamlisdir"), dir)
|
|
assert.EqualError(t, val.Errors()[0], fmt.Sprintf("failed to load configuration from yaml file(%s) source: %s", dir, expectedErr))
|
|
}
|
|
|
|
func testReset() {
|
|
testUnsetEnvName("STORAGE_MYSQL")
|
|
testUnsetEnvName("JWT_SECRET")
|
|
testUnsetEnvName("DUO_API_SECRET_KEY")
|
|
testUnsetEnvName("SESSION_SECRET")
|
|
testUnsetEnvName("AUTHENTICATION_BACKEND_LDAP_PASSWORD")
|
|
testUnsetEnvName("AUTHENTICATION_BACKEND_LDAP_URL")
|
|
testUnsetEnvName("NOTIFIER_SMTP_PASSWORD")
|
|
testUnsetEnvName("SESSION_REDIS_PASSWORD")
|
|
testUnsetEnvName("SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD")
|
|
testUnsetEnvName("STORAGE_MYSQL_PASSWORD")
|
|
testUnsetEnvName("STORAGE_POSTGRES_PASSWORD")
|
|
testUnsetEnvName("TLS_KEY")
|
|
testUnsetEnvName("PORT")
|
|
testUnsetEnvName("IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY")
|
|
testUnsetEnvName("IDENTITY_PROVIDERS_OIDC_HMAC_SECRET")
|
|
}
|
|
|
|
func testUnsetEnvName(name string) {
|
|
_ = os.Unsetenv(DefaultEnvPrefix + name)
|
|
_ = os.Unsetenv(DefaultEnvPrefix + name + constSecretSuffix)
|
|
}
|
|
|
|
func testCreateFile(path, value string, perm os.FileMode) (err error) {
|
|
return os.WriteFile(path, []byte(value), perm)
|
|
}
|